The popular instant messaging Android application Go SMS Pro has been pulled from the Google Play Store. At this time, Google has not issued any official statement regarding the unavailability of the app; However, a few days after Singapore Cyber-security firm TrustWave Co. SMS Pro posed serious security threats, it exposed private photos, videos and other files exchanged by its users. Security analysts say China SMS Pro, a news agency based in China, reported a security breach in August. There were over 100 million downloads from Google Play before the Android app was removed.
According to a report by TechCrunch, TrustWave, which has identified a security flaw, has given Go SMS Pro 90 days to resolve the issue, which is a standard practice among vulnerable companies to allow sufficient time for a solution. But after the deadline ended without being asked again, security inspectors went public to ensure everyone’s safety. In a blog post, TrustWave claims that the Go SMS Pro appears to be a vulnerability in Android v7.91, although it is unclear whether other versions of the app had similar flaws. The security company explains that Go SMS Pro, like other messaging applications, allows users to exchange private media files and messages. Additionally, non-application users can receive media files via a special link via SMS.
However, the security company found that it was possible to access the links without any authorization or authentication, meaning that any bad actor with the link could view content such as personal photos or videos. Besides, the URL link is continuous (hexadecimal) and predictable, in other words, easy to intercept and hack. “When sharing media files, a link will be created regardless of where the application is installed. As a result, malicious users will be able to access any media files sent through this service in the future.
The Test Crunch report was also able to verify the TrustWave discovery. The company had access to a user’s phone number, bank transaction screen shot, an arrest log and more via the decoded link. As mentioned, the Go SMS Pro app has been pulled from the Google Play Store, and the company did not share any details about the flaw pointed out in August. Users who still use the app on their Android smartphone are advised to delete it until further information comes from Google or Go SMS Pro.